Abstract

This paper describes an investigation into how an employee using a virtual environment can circumvent any or all of the security policies and procedures within an organization. The paper discusses the fundamental issues that organizations must address in order to detect such an attack. Attacks of this nature may be malicious, with intent to cause disruption by flooding the network or disabling specific equipment, or non-malicious, quietly gathering critical information such as user names and passwords or a colleague's internet banking details. Potential residual evidence left behind after an attack is identified; such evidence may be used to infer or confirm that an attack incident occurred. The forensic extraction of any such evidence is also discussed. Finally, the paper raises the possibility of a virtual machine being used as an anti-forensic tool to destroy incriminating evidence in such circumstances.